Ask Leo: Is Changing My Password Enough?

I regularly hear from people who’ve had their email or other online account
compromised, who somehow are able to recover access to it and change their
password, only to have the account stolen almost immediately again.

The problem is actually quite simple, though the solution is a bit of
work.

First, you have to realize that while someone else has access to your account
they have access to everything related to that account.

Second, you have to realize that because of that, changing your password
just isn’t enough.

You authenticate with most online systems by providing a user name and a
password. Your username might well be publicly visible, but your password
should be known only to you.

Most systems also provide a mechanism whereby you can recover or reset your
password should you forget it. They use a variety of means, but they all boil
down to the same thing: they use one or more additional pieces of information
to validate that you are who you say you are, and then reset or reissue your
password.

“It’s those ‘additional pieces of information’ that
present the greatest risk once your account has been compromised.”

It’s those “additional pieces of information” that present the greatest risk
once your account has been compromised.

Let’s look at some examples of what I mean, why they’re a risk, and what you
should do about each in addition to changing your password.

Leo Notenboom has been involved in the tech industry for nearly 30 years. After retiring from an 18 year career as a Microsoft Software Engineer Leo went on to create Ask Leo!, a free web site where he answers real questions from ordinary computer users.